
Blizzard Responds To Class Action Lawsuit Over Security Concerns

Blizzard responds to a class action lawsuit over the game developer and publisher’s security methods.

A class action lawsuit has been filed against video game maker Blizzard, the creators of Diablo III, World of Warcraft, and Starcraft.

The lawsuit alleges that the company “fails to disclose to consumers that additional products must be acquired after buying the games in order to ensure the security of information stored in online accounts that are requisites for playing,” according to a press release from law firm Carney Williams Bates Pulliam & Bowman, PLLC. “This deceptive upselling, coupled with Blizzard’s negligence in maintaining proper security protocols, compromised millions of customers’ email addresses, passwords, answers to personal security questions, and other items of sensitive information.”

“Blizzard requires all of its customers to establish accounts with its online gaming service, Battle.net,” according to the firm’s Hank Bates, “but it fails to disclose to consumers, prior to purchase, that they’ll need additional products called authenticators to keep information stored in these accounts safe. Even though the company frequently receives complaints about accounts being hacked, it simply tells the customer to attach an authenticator to their account. Blizzard doesn’t inform people about this requirement when they purchase the game, and that amounts to a deceptive trade practice. Worse still, Blizzard has failed to maintain adequate levels of security for its customers, time and again, which led to a significant loss of private data in Blizzard’s safekeeping.”

Earlier this year, Blizzard confirmed that a security breach had occurred with the possible loss of customers’ personal data. Still, security breach or not, Blizzard says they find the lawsuit absurd.

“This suit is without merit and filled with patently false information,” a Blizzard spokesperson told me in an email, “and we will vigorously defend ourselves through the appropriate legal channels.

“We want to reiterate that we take the security of our players’ data very seriously, and we’re fully committed to defending our network infrastructure. We also recognize that the cyber-threat landscape is always evolving, and we’re constantly working to track the latest developments and make improvements to our defenses.”

Blizzard continues: “The suit’s claim that we didn’t properly notify players regarding the August 2012 security breach is not true. Not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed. You can read our letter to players and a comprehensive FAQ related to the situation on our website.”

Blizzard also disputes claims that the Authenticator is required to achieve a minimal level of account security.

“This claim is also completely untrue,” according to Blizzard, “and apparently based on a misunderstanding of the Authenticator’s purpose. The Battle.net Authenticator is an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard’s network infrastructure. Available as a physical device or as a free app for iOS or Android devices, it offers players an added level of security against account-theft attempts that stem from sources such as phishing attacks, viruses packaged with seemingly harmless file downloads, and websites embedded with malicious code.

“When a player attaches an Authenticator to his or her account, it means that logging in to Battle.net will require the use of a random code generated by the Authenticator in addition to the player’s login credentials. This helps our systems identify when it’s actually the player who is logging in and not someone who might have stolen the player’s credentials by means of one of the external theft measures mentioned above, or as a result of the player using the same account name and password on another website or service that was compromised. Considering that players are ultimately responsible for securing their own computers, and that the extra step required by the Authenticator is an added inconvenience during the log in process, we ultimately leave it up to the players to decide whether they want to add an Authenticator to their account. However, we always strongly encourage it, and we try to make it as easy as possible to do.”

More to come as this story unfolds.

As critical as I’ve been about the always online requirement in Blizzard’s latest IP, Diablo III, their response to the security breach earlier this year was handled very well. They were open and communicated the issue quickly and effectively to players, and worked hard with law enforcement to figure out what happened. All companies, including banks and online retailers, face security issues similar to the ones Blizzard faces.

Nor does it strike me as very likely that Blizzard’s optional security authenticators will be grounds for legal action—after all, they have no legal obligation to offer these to consumers to begin with.

I admit to being very skeptical of this kind of lawsuit. While I believe consumer protection issues are important, I also think voting with one’s wallet is a better route to take than legal action, especially when it comes to something like video games.

The suit’s plaintiffs seek damages and to prevent Blizzard from “tacking on additional, undisclosed costs to ensure security in the form of a post-point-of-sale Authenticator.”

The suit also demands that Blizzard no longer require Battle.net accounts for any game that’s not an MMO.

This might be a good idea, but it’s not the sort of thing I want to see enforced through litigation. Businesses need to be able to craft their own business plan, even if that means signing up for an online account. Perhaps Blizzard ought to make its Authenticators free of charge—the app versions already are—but there is no way that the service ought to be enforced by a court.

Consumers are free to shop elsewhere, or to play games that have no similar requirement made by companies who they believe offer better security.


I’ve had a battle.net account since WoW came out and have never had a problem until SC2 came out. After that it kept getting hacked over and over. I get emails from Blizzard saying they locked it, but I don’t trust it at all even though it says it’s from Blizzard’s email address and it goes right into my spam folder. The legit ones don’t. I don’t know how they can be sending me emails from Blizzard’s domain address but they are. I’ve been “hacked” 3 times already. Just one, before the huge security leak, was a real hacking. The rest were someone resetting my password and Blizzard locking my account.

I then found out that capital letters aren’t used in the Battle.net passwords. So all the fancy tricks you’re supposed to use, like in my 26 character password, were pointless, so I just downloaded the authenticator app on my phone. I don’t play Blizzard games anymore so I don’t really care too much about it. But the first time I was hacked, I reset my password, then they locked it again, then I had to reset it again, then they locked it again. Took me 72 hours to get my account back after opening a ticket to yell at the support to stop locking it.

Didn’t even get my WoW stuff back from the character I hadn’t played in 6 years.

Frankly, Blizzard has proven to me to have pretty damn good security over the years I’ve played World of Warcraft and now Diablo 3.

Aside from the August case I’ve never heard of a case where Blizzard’s servers were hacked. Most of the time anyone claiming they got “hacked” didn’t get hacked, their account was compromised because they were careless and didn’t follow basic security procedures like having a decent password or making sure you’re not on a phishing site.

In saying this, the “always online” modes never stopped people from creating and using bots and exploits for both World of Warcraft and Diablo 3 (and probably StarCraft, too). So whilst they may have good account protection they still don’t have the best anti-cheat methods.

The lawsuit is bullshit. The information about Authenticators is all over the site, as well as explained when signing up for an account. The person(s) included in this suit are completely ignorant, simpletons and idiots who most likely are just vengeful at disliking Blizzard and D3 in particular…and feel they want payback. The evidence can be found in the Forums of the site, where people just like this idiot state they had no idea of an Authenticator when signing up, though it is right there in front of them when they do, and simply bypassed it…then try and proclaim they saw nothing about it. Add to that, that the reasons were for numerous possible phishing and key hacking of their own computers, which is under their control..not Blizzard…is why they most likely were hacked.

Basically…they suck at a game that they think sucks, and want something for nothing based on their own idiocy.

They’re talking about retail sales. Customers aren’t notified about the need for an authenticator until after they’ve paid for the boxed version of their game.

For example: some dude who hasn’t played a Blizzard game since D2 buys the retail version from Gamestop. He isn’t notified about the need for an additional $6.50 purchase of an authenticator until he later goes to the battle.net site to sign up. The need for an additional purchase isn’t specified on the box, and the authenticators aren’t included with the purchase.

That’s what the lawsuit is about. But if you want to ignore that and continue to ignore the poor security methods used by Blizzard if you don’t get an authenticator, go right ahead.